🔵Threat Modeling / Hunting / Intelligence
Resources
Checklists & Standards
NIST Checklist Repository
A repository for various security checklists/benchmarks.
STIGs
Security Technical Implementation Guides (STIGs) are a series of cybersecurity requirements for IT products deployed within DoD agencies. STIGs are the source of configuration guidance for network devices, software, databases and operating systems. The aim is to lower the risk of cybersecurity threats, breaches and intrusion by making the set-up of the network as secure as possible.
Microsoft Security Baselines
Real-time Detection
Real-time detection means 24/7 monitoring and continuous log / user behavior analysis to detect and defeat internal/external threats ASAP.
Some basic considerations are :
Log centralization
IDS/IPS implementation
24/7 SOC
SIEM
next-gen firewalls
Alerting system
End-point sensors
Threat Modeling
Threat modeling or attack surface modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through the lens of security.
Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.
Thread modeling four question framework:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good job?
Models
DREAD Model
DREAD stands for Damage, Reproducibility, Exploitability, Affect and Discovery.
The DREAD model is a form of quantitative risk analysis that involves rating the severity of a cyber threat. When you encounter a cyber threat in your business’s information technology (IT) infrastructure, you can use the DREAD model to determine how much damage it has already caused and can cause in the future.
You must assess various key points of the cyber threat while assigning a numbered rating to each of these points. When finished, you can then compare the total rating to that of the DREAD model’s rating system, which should reveal whether the cyber threat has a low, medium or high risk to your business.
Key Points :
Damage (10): What’s the total amount of damage the cyber threat is capable of causing your business?
Reproducibility (9): How easily can other hackers replicate the cyber threat?
Exploitability (8): How much time and energy is required to exploit the threat and, thus, perform a cyber attack against your business?
Affected Users (10): How many people, either inside or outside of your business, will be affected by the cyber threat?
Discoverability (10): Can you easily discover the cyber threat?
STRIDE Model
STRIDE stands for Spoofing, Tampering, Reputation, Information disclosure, DoS and Escalation of privileges.
STRIDE was developed in the late 1990’s by two engineers working at Microsoft, Koren Kohnfelder and Praerit Garg. STRIDE’s threat model accounts for six different threat categories:
PASTA Model
PASTA means "process for attack simulation and threat analysis".
An open-source risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization’s overall security strategy from the beginning. PASTA encourages collaboration across all stakeholders, creating an environment focused on security.
PASTA has seven stages, with each stage acting as building blocks to one another. This approach allows your threat model to be a linear process and leverage existing security testing activities present within your organization, like code review, third party library analysis, static analysis, and threat monitoring for application infrastructure.
7 steps of PASTA :
Define the Objectives : Focus on what is important to your business. Understand the objectives of each application or product. Objectives may be driven internally or they may be influenced by external partners, clients, or regulatory frameworks.
Define the tactical scope of assets and components : Understand the attack surface, and create a picture of what it is that you are protecting. For each business component identify how they are configured, what dependencies they have on other internal applications, or where third party applications are used.
Application decomposition and identify application controls : Map the relationships between components. Identify users and their roles and permissions, assets, data, services, hardware, and software. Understand where implicit trust models are in place which could be ripe for exploitation, and the application controls that protect high risk web transactions that could become targets for attack.
Threat analysis based on threat intelligence : Research and find the credible threats that affect your industry and products, and build a threat library. Utilise intelligence to understand the latest threats affecting your industry or products, and analyse application logs to understand the behaviours the system is recording, including attacks that existing protections have mitigated.
Vulnerability detection : Map which weaknesses will break under threats. This stage builds on stage 2 which identified the attack surface, and looks for vulnerabilities, design flaws, and weaknesses in the codebase, system configuration, or architecture.
Analyze and model attacks : The aim is to emulate the attacks that could exploit any identified weaknesses or vulnerabilities, and prove that the suspected risks to applications actually are risks. The PASTA threat modelling methodology recommends building attack trees, which map threats, attacks and vulnerabilities, to create a blueprint for how applications can be exploited.
Risk/impact analysis and development of countermeasures : This stage uses the answers from earlier stages, such as what’s important to the organisation (stage 1), what are we working with (stage 2), how do they all work together (stage 3), and what does my threat intelligence tell me about our risks (stage 4) in order to create countermeasures
LINDDUN Model
LINDDUN is short for linkability, identifiability, nonrepudiation, detectability, disclosure of information, unawareness, noncompliance.
focuses on privacy concerns and can be used for data security. Consisting of six steps, LINDDUN provides a systematic approach to privacy assessment.
LINDDUN starts with a DFD of the system that defines the system's data flows, data stores, processes, and external entities. By systematically iterating over all model elements and analyzing them from the point of view of threat categories, LINDDUN users identify a threat's applicability to the system and build threat trees.
CVSS Model
The Common Vulnerability Scoring System (CVSS) captures the principal characteristics of a vulnerability and produces a numerical severity score. CVSS was developed by NIST and is maintained by the Forum of Incident Response and Security Teams (FIRST) with support and contributions from the CVSS Special Interest Group. The CVSS provides users a common and standardized scoring system within different cyber and cyber-physical platforms. A CVSS score can be computed by a calculator that is available online.
CVSS consists of three metric groups (Base, Temporal, and Environmental) with a set of metrics in each.
A CVSS score is derived from values assigned by an analyst for each metric. The metrics are explained extensively in the documentation. The CVSS method is often used in combination with other threat-modeling methods.
Attack Trees
Using attack trees to model threats is one of the oldest and most widely applied techniques on cyber-only systems, cyber-physical systems, and purely physical systems.
Attack trees are diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree. Thus, the system threat analysis produces a set of attack trees.
In the case of a complex system, attack trees can be built for each component instead of for the whole system. Administrators can build attack trees and use them to inform security decisions, to determine whether the systems are vulnerable to an attack, and to evaluate a specific type of attack.
Persona non Grata
Persona non Grata (PnG) focuses on the motivations and skills of human attackers. It characterizes users as archetypes that can misuse the system and forces analysts to view the system from an unintended-use point of view.
The idea is to introduce a technical expert to a potential attacker of the system and examine the attacker's skills, motivations, and goals. This analysis helps the expert understand the system's vulnerabilities from the point of view of an attacker.
Security Cards
Security Cards identify unusual and complex attacks. They are not a formal method but, rather, a kind of brainstorming technique. With help from a deck of cards (see an example in Figure 6), analysts can answer questions about an attack, such as
Who might attack?
Why might the system be attacked?
What assets are of interest?
How can these attacks be implemented?"
This method uses a deck of 42 cards to facilitate threat-discovery activities: Human Impact (9 cards), Adversary's Motivations (13 cards), Adversary Resources (11 cards), and Adversary's Methods (9 cards).
hTMM Model
hTMM stands for hybrid threat modeling method.
Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.
It consists of a combination of SQUARE (Security Quality Requirements Engineering Method), Security Cards, and PnG activities.
Threat Modeling Tools
Microsoft Threat Modeling Tool
An automated tool for creating thread models and estimating the risk and impact for various types of objects. to quickly summarize, the approach involves creating a diagram, identifying threats, mitigating them and validating each mitigation. Here’s a diagram that highlights this process:
This tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. As a result, it greatly reduces the total cost of development.
Threat Hunting
Threat hunting is a proactive approach to identifying previously unknown or ongoing non-remediated threats within an organizations network.
Threat hunting works based on hypothesis and situation awareness plus related domain expertise. when doing this you should assume that there was a breach somewhere in the system and now you have to find the hole and the intruder.
Hunting Maturity Model
The Hunting Maturity Model (HMM) is a simple model for evaluating an organization's threat hunting capability. It provides not only a "where are we now?" metric, but also a roadmap for program improvement.
The maturity model has 4 levels by which the maturity of threat hunters is determined :
HMM 0 (initial) - automated alerting, limited or no routing data collection
HMM 1 (minimal) - threat intelligence indicator searches and moderate or high level data collection
HMM 2 (procedural) - data analysis procedures created by others, high or very high data collection
HMM 3 (innovative) - create new data analysis procedures, high or very high data collection
HMM 4 (leading) - automate the majority of successful data analysis procedures and high or very high data collection
SANS sliding scale of cyber security
The Sliding Scale of Cyber Security is a model for providing a nuanced discussion to the categories of actions and investments that contribute to cyber security.
Architecture
Passive Defense
Intelligence
Offense
Threat Hunting Tools
Threat Intelligence
Threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks.
This information may include:
Mechanisms of an attack
How to identify that an attack is happening
Ways different types of attacks might affect the business
Action-oriented advice about how to defend against attacks
Types of threat intelligence:
Strategic Threat Intelligence : provides an overview of the organization’s threat landscape. It is less technical is mainly for executive-level security professionals to drive high-level organizational strategy based on the findings in the reports. Ideally, strategic threat intelligence provides insights like vulnerabilities and risks associated with the organization’s threat landscape with preventive actions, threat actors, their goals, and the severity of the potential attacks.
Tactical Threat Intelligence : consists of more specific details on threat actors TTP and is mainly for the security team to understand the attack vectors. Intelligence gives them insights on how to build a defense strategy to mitigate those attacks. The report includes the vulnerabilities in the security systems that attackers could take advantage of and how to identify such attacks.
Operational Threat Intelligence : focuses on knowledge about the attacks. It gives detailed insights on factors like nature, motive, timing, and how an attack is carried out. Ideally, the information is gathered from hacker chat rooms or their discussion online through infiltration, which makes it difficult to obtain.
Tactical Intelligence
CTI Pyramid of Pain
represents the amount of pain you can inflict on advanced adversaries.
If you are going to use the only hash value, IP address for threat detection, attackers going to step ahead of you, they can easily change the hash value and IP address and use different tools and techniques to attain their motive. So try to find as many as details like attacker tools, techniques. These are all difficult for an attacker to change from one attack to another.
By fetching all the details on the pyramid, we are on the track and expertise in threat intelligence and it will be useful to get the full picture of the threat and threat actors.
CTI Life cycle:
Planning– Determine the purpose,objective and requirements of CTI.
Collection– Collecting data from various sources
Processing- Process the collected information and make it ready for anlaysis.
Analysis– Analysing the data and transforming it into intelligence and making it ready for sharing.
Dissemination– Sharing threat intellegince data
Feedback– Acquire and analyse stakeholder feedbacks.
Resources
Comparison
Threat Intelligence vs Threat Hunting
Threat Hunting | Threat Intelligence |
---|---|
track APT activities inside your own organization | track global APT activities, news, known bads |
monitoring and analysis of suspicious activities/events | monitoring and analysis of breach reports and global incidents |
detect the adversary in action, sop their advance, prevent exfiltration | knowing the adversary beforehand, early warning and mitigation |
Threat Hunting vs Real-time Detection
Real-time Detection | Threat Hunting |
---|---|
relies on known bads | hunt environment for unknown bads |
generates alerts that are to be further investigated by analysts | generates confirmed incidents which trigger incident response |
typically highly automated | can partially leverage automation but majority is manual effort |
can leverage IoCs | can generate IoCs |
Last updated